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Abstract 

We introduce a calculus for tuplices, which are expressions that gen- 
eralize matrices and vectors. Tuplices have an underlying data type for 
quantities that are taken from a zero-totalized field. We start with the core 
tuplix calculus CTC for entries and tests, which are combined using con- 
junctive composition. We define a standard model and prove that CTC 
is relatively complete with respect to it. The core calculus is extended 
with operators for choice, information hiding, scalar multiplication, clear- 
ing and encapsulation. We provide two examples of applications; one 
on incremental financial budgeting, and one on modular financial budget 
design. 



1 Introduction 

In this paper we propose tuplix calculus: a calculus for so-called tuplices, which 
are expressions that generalize matrices and vectors. Tuplices have an underly- 
ing data type called quantities. We shall require that this data type is modeled 
by a zero-totalized field, in the terminology of [HI as will be explained in 
Section ^ A typical example of a tuplix is a budget, a compound of various 
attributes, each of which possesses a certain value (a quantity) and may refer to 
certain conditions and/or interdependencies. Another example of a tuplix is the 
modeling of Zei-expressions in functional programming. We provide a standard 
model for tuplix calculus and discuss some examples of its use. 

A tuplix generalizes a vector or a matrix in that it collects a number of 
quantities from the same data type under a number of names (dimensions of 
the vector, matrix entries). What differs in the design of tuplix calculus from 
matrix or vector calculus is that other methods of compositional construction 
are envisaged. Conjunctive composition extends both vector (matrix) addition 
and set union into a novel compositional mechanism. In addition, 'information 
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hiding' is provided which supports the use of auxiUary values whose name is 
made externally invisible. In order to provide a simple semantic model of this 
form of information hiding, alternative composition of tuplices is included as 
well. Alternative composition, written x + y denotes a tuplix which is either x 
or y. Information hiding is modeled using generalized alternative composition. 
A further key feature of tuplix calculus is the inclusion of conditions as atomic 
tuplices; this is done via a zero-test operator. Finally an encapsulation mech- 
anism is proposed. Encapsulation removes an entry and enforces that it will 
contain quantity zero only. Encapsulation and alternative composition work 
together exactly as in the process algebra ACP [3] from which the typescript 
has been borrowed (see [T] and [TD] for more recent expositions of ACP-style 
process algebra). 

Tuplices constitute a calculus rather than an algebra because information 
hiding introduces bound variables. The motivation for designing tuplix calcu- 
lus came from a number of attempts to design financial budgets in a modular 
fashion. One might call a tuplix a budget but we prefer not to introduce that 
financial connotation by using a mathematically neutral term which can be 
viewed as describing a purely structural notion without any preferred applica- 
tion or even application area. We call tuplix calculus an abstract data type 
calculus. It is based on an algebraic abstract data type but this is augmented 
with operators involving bound variables, notably the generalized alternative 
composition operator. 

The design of tuplix calculus is based on zero-totalized fields because this 
drastically simplifies type checking in general and equational logic in particular 
for fields. That zero-totalized fields are meadows, which in general may feature 
proper zero-divisors as a natural generalization, is of less importance to the 
design of tuplix calculus. 

The paper is structured as follows. Section [2] discusses zero-totalized fields. 
Section [3] introduces the axiom system CTC (Core Tuplix Calculus). We de- 
fine a standard model for the interpretation of tuplices and prove the relative 
completeness of CTC (relative: valid data identities are assumed in the proof 
theory) with respect to this standard model (Section [S]). In the next sections, 
CTC is extended with several operators, starting with alternative composition 
in Section [6l leading to Basic Tuplix Calculus (BTC). Section [7] is an inter- 
mezzo containing some observations on the use of zero tests (zero-test logic). 
Section [8] introduces information hiding to BTC through the binding of data 
variables. Section [9] defines three auxiliary operations including encapsulation. 
Sections 1101 and [TT] present example applications. We end with some concluding 
remarks (Section [T2| . 

2 Cancellation Meadows 

Quantities will be taken from a non-trivial cancellation meadow, or, equivalently, 
from a zero-totalized field, in the terminology of [8l[3]. A zero-totalized field is 
the well-known algebraic structure 'field' with a total operator for division so 
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that the result of division by zero is zero (and, for example, in a 47-totalized 
field one has chosen 47 to represent the result of all divisions by zero) . 

A meadow is a commutative ring with unit equipped with a total unary 
operation (-)^^ named inverse that satisfies the axioms 

(u^^)^^ — u and u ■ {u ■ u^^) — u, 

and in which 0^^ = 0. For quantities (and tuplix calculus) we also require the 
cancellation axiom 

TiT^O & u ■ V = u ■ w =^ V ^ w 

to hold, thus obtaining cancellation meadows, which we take as the mathemat- 
ical structure for quantities, requiring further that 7^ 1 to exclude (trivial) 
one-point models. These axioms for cancellation meadows characterize exactly 
the equational theory of zero-totalized fields 3,. The property of cancellation 
meadows that is exploited in the tuplix calculus is that division by zero yields 
zero, while u ■ = 1 for u ^ 0. 

For the tuplix calculus, we define a data type (signature and axioms) for 
quantities which comprises the constants 0, 1, the binary operators + and •, 
and the unary operators — and (-)~^- We often write u — v instead of u -f (— u), 
u/v instead of u ■ v~^, and uv instead of u ■ v, and we shall omit brackets if 
no confusion can arise following the usual binding conventions. Finally, we use 
numerals in the common way (2 abbreviates 1-1-1, etc.). The axiomatization 
consists of the cancellation axiom 

u ^ & u ■ V = u ■ w ^ V = w, 

the separation axiom 

0/1, 

and the following 10 axioms for meadows (see [3]): 



(u + v) + w 


= u - 


f (u -t- w). 


U + V 


= V - 


f M. 


u + 


= u, 




u + {-u) 


= 0, 




[u • v) ■ w 


= u ■ 


{v ■ w), 


U • V 


= V ■ 


u, 


1-u 


= u, 




u ■ {v + w) 


— u ■ 


V + u ■ w. 


(u-i)-i 


= u, 




u ■ {u ■ u^^) 


— u. 
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The following identities are derivable from the axioms for meadows. 

(o)-^-o 

{u ■ v)^^ — u^^ ■ 
0-u = 

U ■ —V ~ — (li • v) 

— {—u) — u 

Furthermore, the cancellation axiom and axiom u ■ [u ■ u^^) = u imply the 
general inverse law 

u ^ => u- u^^ = 1 

of zero-totalized fields. 

3 Core Tuplix Calculus 

Tuplix calculus builds on the data type defined in Section [2] which specifies non- 
trivial cancellation meadows. We use the letters u, v and w as data variables, 
and the letters p and q to range over (open) data terms. 

We start with a core calculus which can be extended with several operators 
(as is done in later sections). The theory is parametrized with a nonempty set 
A of attributes, ranged over by a and b. We further assume given a countably- 
enumerable set of tuplix variables, ranged over by x, y and z. Wc introduce 
the signature for tuplices. We have constants e (the empty tuplix) and S (the 
null tuplix); the variables are tuplix terms; and there are two further kinds of 
atomic tuplices; entries (attribute- value pairs) of the form 

a{p) 

with a G vl, and p a data term, and, for any data term p, the zero test 

lip) 

(7 ^ A). Finally, the core theory has one binary infix operator: the conjunctive 
composition operator ®. This operator is commutative and associative. 
Axioms: 

x(Dy = y(i)x (Tl) 
{x(Dy)(D z ^ x(D{y(D z) (T2) 
x(J)£ = x (T3) 
x(I)5 = 5 (T4) 
a{u) (D a{v) ^ a{u + v) (T5) 
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7(u) = j{u/u) (T6) 
7(0) - e (T7) 
7(1) = S (T8) 

In this core calculus, a tuplix is a conjunctive composition of tests and 
entries, with e representing an empty tuplix, and S representing an erroneous 
situation which nullifies the entire composition. Entries with the same attribute 
can be combined to a single entry containing the sum of the quantities involved 
(axiom [T5|. 

A zero test 7(p) acts as a conditional: if the argument p equals zero, then 
the test is void and disappears from conjunctive compositions. If the argument 
is not equal to zero, the test nullifies any conjunctive composition containing it. 
Observe how we exploit the property of zero-totalized fields that p/p is always 
defined, and that the division p/p yields zero if p equals zero, and 1 otherwise. 
Further observe that an equality test p — q can be expressed as j{p — q). 

A tuplix term is closed if it is does not contain tuplix variables and also 
does not contain data variables. A tuplix term is tuplix-closed if it does not 
contain tuplix variables (but it may contain data variables). For reasoning 
about tuplices with open data terms, we add the following two axioms: 

^{u)(D-i{v) ^-^{u/u + v/v) (T9) 
7(m - w) (D a(u) = 7(u - w) ® a(i;) (TIO) 

The tuplix calculus is two-sorted. On the tuplix side we have the axioms 
ITlHTlOl and we use the proof rules of equational logic. On the data side, we 
refrain from giving a precise proof theory. We adopt the following rule to lift 
the valid data identities to the tuplix calculus: for all (open) data terms p and 

^ 1= P = 9 imphes 7(p) = 7(9), (De) 

where T) (a non-trivial cancellation meadow) is our model of the data type. This 
axiom system with axioms [TTMTIOI pIus proof rule [De] is denoted by CTC (Core 
Tuplix Calculus). 

4 Canonical Terms and Derived Proof Rules 

A CTC canonical term is a term of the form 

7(Po) CD ai(pi) ® • • • ® ak{pk) ® ® • • • x/, 

for some k,l > 0, and with distinct attributes ai for i — I, . . . , k. 

Lemma 1. Every CTC term is derivably equal to a CTC canonical term. 

Proof. Easy: If it contains the constant S, the term equals the canonical term 
7(1) (using axioms [T4I and ITSP : conjunctive composition is commutative and 
associative; the e constant disappears (axiom [TS]) : entries with same attribute 
are combined using axiom lT5l tests are combined using axiom [T9l (and if there 
are no tests, we add a void 7(0) test using axiom [T7|) . □ 
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The axiom system CTC is powerful enough for our purposes, as is witnessed 
by the completeness result in Section [S) Still, more general proof rules for 
the derivation of identities involving data equalities and substitution of data 
terms can be convenient. For example, we find that CTC derives the "obvious" 
identity 

a{u + v) ~ a(v + u) 

rather indirectly: because {u + v) — {v + u) = will be valid in our data model, 
we have 

-f{{u + v) — {v + u)) — 7(0) 

bv lDsl Then we derive 

a{u + v) — a{u + v) (D ^{{u + u) — (u + u)) ~ a(v + u) 

using axioms [T3l [13 and[T10l 

The following proof rule generalizes De: 

'D^p = q implies t[p/u] = t[q/u], (De+) 

for tuplix terms t and with substitution t[p/u\ defined as usual for two-sorted 
equational logic (replacement of all data variables u in t hy p). The following 
axiom scheme generalizes axiom ITIOI 

t(D'-f{u-p) =t[p/u](D'-f{u-p), (T10+) 

where t ranges over tuplix terms. 

These two rules follow from CTC as we shall now prove. We start with two 
lemmas. 

Lemma 2. For all data terms p and q, 

I? 1= (1 — p/p) ■ q ~ implies CTC h ^{p) — j{p) (D 7(g). 
Proof. Assume that V ^ (1 — p/p) ■ q = 0. Observe that it follows that 

p/p = {p/p + q/q)/{p/p + q/q) 

is a valid identity (check: distinguish cases p ^ and p ^ 0). From this, derive 

lip) = l{p/p) 

= i{{p/p + q/q)/{p/p + q/q)) 
= lip) CD 7(9) 

using [De] and axioms |T6] and US □ 

Note that a test 7((1 — p/p) • q) may be read as the logical implication 'p = 
imphes q — Q\ see also Section [71 
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Lemma 3. The following identity is derivable in CTC. 



7(u) (D j{u — v) = 7(w) ® 7(u — v) 



Proof. Observe that 



( 



1 



u/u + (m — v)/{u — v) 



u/u + [u — v)/{u — v) 



) 



• w = 



('if u — Q and u — v, then v = 0') is vahd in any canceUation meadow. Derive 

7(w) ® 7(u — v) — j{u/u + (u — v)/{u — v)) 

— j{u/u + {u — v)/{u — v)) (D 7(u) 
= 7('u) ® 7(u — w) ® 7(u) 

using Lemma [3] and axiom [T9l The remaining part of the derivation is symmet- 
rical. □ 

We are now ready to derive the two rules. 

• Case De^. Assume that P |= p = g, and let t be a canonical term 
l{po) ® aiiPi) (D • • • (D Okipk) (Dxi(D---(Dxi, 
for some k,l >0. First observe that it follows from V \= p = q that 

\=Pt [p/u] = Pi [q/ u] and V \= pi [p/u] - pi [q/u] = 
for i = 0, . . . , fc. From this and lDsl we derive that 

i{po[p/u]) = j{po[q/u]) 



so we can apply the required substitutions in the entries using axiom IT 101 



liPo) ® aibi) ® • • • ® ak{pk) (Dxi(D---(Dxi, 

for some fc, Z > 0. Observe that for i — 0, . . . , k, 

P 1= (1 - {u-p)/{u-p)) ■ [pi -pi[p/u]). 

Therefore we have by Lemma [5] that 

7(u - p) 7(u - p) ® ^{pi - Pi[p/u]) 

so that we can perform the substitutions in the entries using axiom [TToJ 
and in the test 7(po) using Lemma |31 



and 



ai{Pi[plu]) 



ai{Pi[plu])(D"f{0) 
ai{pi)[p/u](D-f{pi[p/u] ~pi[q/u]), 



• Case ITIO+I Let t be a canonical term 
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5 Standard Model and Relative Completeness 



We interpret tuplix terms in the standard model A4{'D, A), where 2? is the model 
of the data type for quantities, and A is the set of attributes that are used. The 
data model P is required to be a non-trivial cancellation meadow. We write P 
for the domain of V, and for the element of T> that is the interpretation of the 
data term 0. 

The standard model is based on the set 

F^A^V 

of partial functions from A to V which are used to model the entries (the 
attribute- value pairs). The domain for the standard model is the power set 

of the set of partial functions. An element of this power set stands for a number 
of alternatives: for CTC, the interpretation of tuplix terms yields either the 
empty set (the interpretation of 6; absence of alternatives) or a singleton set. 
When we add choice to the theory (see Section [5]), the interpretation may yield 
sets with more than one element. 
Some preliminaries: 

1. For a G A, d € T), let fa.d be the partial function with fa.d{a) = d, and 
fa,d{b) undefined for b ^ a. 

2. We denote by the function in F with /e(a) undefined for all attributes 
a & A] this function will be used in the interpretation of the term e. 

3. Define conjunctive composition (D on elements of F as follows: for a e ^, 
if both / and g are undefined for a, then (/ ® g) is undefined for a; if /(a) 
is defined and g is not defined for a, then (/ ® g)[a) = {g (D /)(a) = /(a); 
and if both / and g are defined for a, then (/ (D g){a) = /(a) -I- g{a). 

The closed terms of CTC are interpreted in the standard model as follows. 

M = 

I otherwise 

Is®tr= {/©<? I / e W, .9 6 Ml 

We say that closed terms s and t are equivalent with respect to the standard 
model if |s] — |t]. Two open terms are equivalent, notation s ~ i, if all their 
closed instantiations are pair- wise equivalent. The axiom system CTC is sound 
with respect to the standard model, i.e., for all (open) tuplix terms s and t, 
CTC \- s^t imphes s - t. 
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Theorem 1. The axiom system CTC is complete with respect to the standard 
model, i.e., for all (open) terms s and t, s t implies CTC \- s ^ t. 

This completeness is relative in the sense that our proof theory assumes, by 
adoption of rule lDEl aU vahd data identities. 

Proof. Suppose s ^ t. Using Lemma[l]we know that s and t are derivably equal 
to canonical terms 

s' = l{Po) ® ai(pi) ® • ■ ■ ® ak{pk) (Dxi(D---(Dxi 

and 

t' 7(90) CD ai(gi) ® • • • CD ak{qk) (D xi (D ■ ■ ■ (D xi 

with k,l > 0. Observe that it follows from s ^ t that we can find canonical 
terms having the same tuplix variables Xi and (mutually distinct) attributes Uj . 

It also follows from s ^ t, that whenever the test 7(^0) succeeds, also the 
test "f{qo) succeeds, and vice versa. Therefore, the cancellation meadow identity 
Po/pq = Qq/qq must be valid. It follows that 

liPa) = 7('7o) 

is derivable using axiom [T6] and [DeI 

It further follows from s t, that whenever the test 7(^0)7 Sind hence also 
7(go)j succeeds, then it must be that pi = qt for i = 1, . . . ,k. A consequence is 
that the cancellation meadow identity 

(1 -Po/Po){Pi -qi) = 

is valid (check: straightforward case distinction on po)- Using Lemma [5] wc find 
that 

7(Po) = 7(Po) CD7(pi - qt). 

Because we also have 7(^0) — liqo) it is easy to see that s' — t' is derivable 
using axiom [TIOl □ 



6 Basic Tuplix Calculus 

The axiom system CTC is extended to Basic Tuplix Calculus (BTC), by ad- 
dition of the binary operator + called alternative composition or choice to the 



signature, and by adoption of the following axioms. 

X + y = y + X (CI) 

{x + y) + z = x + {y + z) (C2) 

X + X — X (C3) 

x + 6 = x (C4) 

2; ® (y + z) = (a; CD ?/) + (x ® z) (C5) 

7(it) + 7(1;) — 7(uu) (C6) 
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Because choice is an associative operator, we shall often omit brackets in re- 
peated apphcations. 

The standard model MiV, A) for CTC is extended to BTC by the following 
interpretation of alternative composition: 

[s+ir='Hu[ti. 

So, the interpretation of a closed term yields a set of alternatives. Note that 
(5 is a zero element for alternative composition: it stands for the absence of 
alternatives (recall that = 0). The axioms [CmC6l are sound with respect to 
the standard model. 

As for CTC, completeness results are relative because, by adoption of proof 
rule IDeI valid data identities may be used in derivations. The axiom system 
BTC is complete for closed (no data variables, no tuplix variables) terms. In 
the proof we use canonical terms: a BTC canonical term is an alternative com- 
position 

ti + ---+tk 

of CTC canonical terms for some fc > (in case fc = 0, this term is defined as 
6) . Clearly, we can derive such a canonical term for every BTC term by pushing 
-|- outward using axiom [C5l 

Theorem 2. For closed terms, BTC is complete with respect to the standard 
model, i.e., for closed terms s and t, s ^ t implies BTC \- s — t. 

Proof. Take closed terms s and t with s ^ t. We may assume for s and t that 
there are respective canonical terms 

si + • • ■ + Sfe and ti + ■ ■ ■ + ti 

such that |si] and ftj} are singleton sets for i = 1, . . . , A: and j — 1, . . . ,1. Since 
|s] — it is clear that for every Si there is a tj such that Si ~ tj, and vice 
versa. By completeness of CTC these are derivably equal. Then, s = t can be 
derived using axioms IC1HC4I □ 

Completeness for open terms (which we did prove for CTC) appears to be 
more involved. We leave this open for future work. 

7 Zero- Test Logic 

We have seen how the zero-test operator j{p) tests the equality p — 0. Using 
axioms lT6l and [DeI it is easy to derive the following identities, which we shall 
often use implicitly in derivations: 

7(u) = 7(-u), 
7(u) = 'y{u/n), 
7(m) = 7(n • u). 
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where n ranges over all non-zero numerals. 

We present some observations on the use of the zero-test operator which lead 
to a simple logic. 

First, the empty tuplix e with e = 7(0) by axiom [T7l mav be read as 'true', 
and the null tuplix S with 6 = 7(1) by axiom [TS] may be read as 'false'. 
Negation. Define the test 'not p = 0' by 

7(p) = 7(1 -P/P)- 
Conjunctive composition of tests may be read as logical conjunction: 

lip) CD 7(9) ^ i{p/p + q/q) 

tests 'p — and q = 0'. 

Alternative composition of tests may be read as logical disjunction: 

lip) + liq) ^ i{pq) 

tests 'p = or g = 0'. 

A formula would then be a tuplix-closed (no tuplix variables) BTC term 
without entries. Any formula can be expressed as a single test lijp) using axioms 
IT7HT9l and lC6[ and the definition of negation. Let (/? range over formulas, and 
write if for the negation of (f. 

We find that this logic has all the usual properties. Clearly, conjunction 
and disjunction are commutative, associative, and idempotent, and it is not 
difficult to derive distributivity, absorption, and double negation elimination. 
The following identities are easily derived as well: 

if + ^^e, (1) 

® = (5, (2) 

+ £ = e, (3) 

Lp(D5 = 5. (4) 

As usual, implication can be defined in terms of negation and disjunction: 

i{p) + i{q) = 7((i - pIp) ■ q) 

tests 'p = implies q — Q\ 

Note. If the absolute operator |_| (with \p\ — p\ip> 0, and \p\ — —p otherwise) 
is added to the signature of the data type, we can also express inequalities: 

i{\q-p\ ^ q-p) 

expresses the test p < q. 
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8 Generalized Alternative Composition 



The generalized alternative composition (or: summation) operator is a 
unary operator that binds data variable u and can be seen as a data-parametric 
generaUzation of the alternative composition operator +. We add this binder to 
the signature of BTC and write FV{t) for the set of free data variables occur- 
ring in tuplix term t. We write Var{p) for the set of data variables occurring 
in data term p (there is no variable binding within data terms). Define sub- 
stitution t[p/u\ as: replace every free occurrence of data variable u in tuplix 
term t by the data term p, such that n o varia bles of p become bound in these 
replacements. E.g., recall the proof rule 1X1 o"^ 

t ® 7(u — p) ~ t[p/u] ® 7(ii — p). 

This rule remains sound in the setting with summation, but application of the 
rule may require the renaming of bound variables in t using axiom [S2l see below, 
so that the substitution can be performed. When considering substitutions we 
shall implicitly assume that bound variables are renamed properly. 

The axiom schemes for are as follows, where s and t range over tuplix 
terms and p ranges over data terms. 

Ej^i liu^FVit) (SI) 

j:j = j:AyM ifv^FVit) (S2) 

= ifu<^FV{s) (S3) 

E„(s + ^) = E„s + E„i (S4) 

E„7("-P)=e iiu^^Varip) (S5) 

E„7(«-p)-e if u(^Var{p) (S6) 

(Recall from Section [7] that 7(1?) is defined as 7(1 —p/p).) 

The standard model for BTC is extended with the following interpretation 
of summation: 

Eti^l I P ^ closed data term}. 

The axiom schemes IS1HS6I are sound with respect to this model. 

Note. A similar summation operator (binding of data variables that generalizes 
alternative composition) is part of the specification language /iCRL |12) , which 
combines the process algebra ACP 4 with equationally specified abstract data 
types. A detailed exposition of a semantics and proof theory for this 'choice 
quantification' in the setting of process algebra can be found in the work of 
Luttik [13j . A corresponding treatment is possible in our case. 

Lemma 4. The following identities are derivable for all data terms p with 
u ^ Var(jp). 

E„(^®7(^-P))=ib/"] (5) 

E„i = t[pH + E„i (6) 

E„i-t[pH+EJi®7("-p)) (7) 
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Proof. Derivation of ([5]): 

E„(i®7("-P)) = En(ib/«]CD7(u-p)) 

= t[p/u] 

using lT10+[ [S3l and [S5l Derivation of dS]): 

EJ = Euit ® liu - p)) + E CD liu - p)) 
= t[p/u] + EJ- 

using [H (II|),[Sl[Cl and ©. Derivation of Q: similar. □ 
Example. We derive 

EJ«(«)a)7(«'-i)) = «(-i) + «(i). 

Proof: from 

7(w2 - 1) = 7((u + - 1)) = -f{u + 1) + -f{u - 1) 
it follows that 

EuHu) (D jiu' - 1)) = Eu(«(«) 0) 7(" + 1)) + EuHu) CD 7(^^ - 1)) 
= a(-l)+a(l) 

using ([5]). 

Example. Let- expressions or let-bindings allow value declarations or partial 
bindings in expressions. The term 

E„(ia3 7(^i-p)) 

characterizes 

let M = p in t. 

Of course, p may contain variables, as for instance 'let u = 7w + 1 in can 
simply be expressed as 

E„(^a)7(w-7w-i)). 
9 Auxiliary Operators 

For BTC with summation, we define three auxiliary operators: scalar multi- 
plication, clearing, and encapsulation. In each case the axioms for choice and 
summation (numbered 6 and 7) can be omitted, for inclusion in axiom system 
CTC or BTC. 
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9.1 Scalar Multiplication 

Scalar multiplication p ■ t multiplies the quantities contained in entries in tuplix 
term t by p. It is specified by means of the following axioms. 



u ■ e 


= e 




(Scl) 


u ■ (5 






(Sc2) 


u ■ 7(w) 


= 7(«) 




(Sc3) 


u ■ a{v) 


= a{u ■ v) 




(Sc4) 


u ■ {x (Dy) 


= u ■ X (D u ■ y 




(Sc5) 


u-{x + y) 


^ u ■ X + u ■ y 




(Sc6) 






if w ^ Var{p) 


(Sc7) 



Axiom Sc7 is an axiom scheme with p ranging over data terms and t ranging 
over tuplix terms. An example with scalar multiplication is given in Section [TOl 

Standard Model. Take the standard model A4{'D,A) as before (see Sec- 
tion [5]). For partial function f G F and value d ^ V, define the scalar multipli- 
cation d ■ f as expected: {d ■ /)(a) — d ■ (/(a)) if /(a) is defined, and undefined 
otherwise. The interpretation of scalar multiplication is defined by 

iP-n = {M-f\fem}. 

9.2 Clearing 

For set of attributes I C A, the operator 

ei{x) 

renames all entries of x with attribute in / to e. It "clears" the attributes 
contained in /. Axioms: 



ei{e) 


— e 


(Cll) 






(C12) 


ei{-f{u)) 


= 7(w) 


(C13) 


£/(a(u)) 


J e if a e / 
1 a{u) otherwise 


(C14) 


ei{x(Dy) 


= ei{x) ® e/(y) 


(C15) 


£i{x + y) 


= ei{x) +e/(y) 


(C16) 






(C17) 



For a set of attributes B <Z A one can think of a function 

Select b{x) = eA\B{x). 
This function allows to focus on those entries with attribute contained in B. 
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standard Model. Take the standard model A4{V,A) as before (see Sec- 
tion [5]). Define the function £/ on elements of F as follows. For partial function 
f & F and attribute a € ^, if /(a) is undefined or a e /, then £/(/)(a) is 
undefined, else e/(/)(a) = /(a). The interpretation of clearing: 

= I /€ Ml- 

9.3 Encapsulation 

Encapsulation can be seen as 'conditional clearing'. For set of attributes H C A, 
the operator dnix) encapsulates all entries in x with attribute a £ H. That is, 
for a G -ff , if the accumulation of quantities in entries with attribute a equals 
zero, the encapsulation on a is considered successful and the a-entries are cleared 
(become s); if the accumulation is not equal to zero, they become null (S). 
This accumulation of quantities is computed per alternative: the encapsulation 
operator distributes over alternative composition. Axioms: 



dH{e)=e (El) 

Oh (5) = S (E2) 

dnhiu)) = 7(w) (E3) 

a^(a(,)) = (E4) 
\a(u) \i a ^ H 

dH{x (D dH{y)) ^ dH{x) (D dH{y) (E5) 

dH{x + y) ^ dnix) + dniy) (E6) 

dHiHj) = HuiMt)) (E7) 



We further define 

dH\jH' {x) = Oh o Oh' {x). 

Standard Model. Take the standard model M.{'D, A) as before. We say that 
a partial function / in F is neutral on attribute a, if either /(a) is undefined or 
/(a) — 0. We interpret encapsulation as follows. 

Idum = {ehU) I / e W, / neutral on aU a G iJ}, 
where eh is as defined in Section [921 

9.4 On the Derivation of Encapsulations 

By the derivation of an encapsulation we mean the elimination of the encap- 
sulation operator by application of its defining axioms from left to right. Of 
course, this elimination is in general only possible for tuplix-closed terms. We 
present some helpful identities and example derivations. 
We start with a lemma. 
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Lemma 5. For all tuplix- closed terms t, if no element of set of attributes H 
occurs in t, then 

dH{t)^t 

and, for any term s, 

dHisQt) = dHis)(Dt 

are derivable. 

Proof. The first identity is easy, using structural induction on term t. Then, 
the second one follows using axiom lE5l 

dnis (Dt)= dnis CD dnit)) = ^^(s) ® ^^(t) = 9^ (s) ® t. 

□ 

When deriving an encapsulation, we generally split the encapsulation up: 
for a G iJ, we have by definition that 

dnit) = dH\{a} od[a}it), 

and we start with d^a}it)- Observe that encapsulation distributes over (gen- 
eralized) alternative composition, so we can push it inward until we reach an 
conjunctive composition in which we assume that the a-entries have been accu- 
mulated into a single entry using axiom [T5l So this yields an application of the 
form 

d{a}iaip)(Dt') 

where a does not occur in t' , so using Lemma [5l this is equal to 

lip)(Dt'. 

Example: 

^^^{a{~3) (D 6(1) (D 6(2) ® 6(-3) ® c(3)) = 5{b}(6(0) ® a(-3) ® c(3)) 

= a{b}(6(0))®a(-3)®c(3) 
= 7(0)CDa(-3)®c(3) 
= a(-3) ® c(3). 

Another example: 

5{a,t}(a(0) ® 6(0)) = d{a} o 5{,}(a(0) ® 6(0)) = 5{,}(a(0)) = e. 

In applications that use information hiding (summation), we typically en- 
counter encapsulations like this one: 

d{aM2) ® EJ«(-«) 0) b{u/2) (D c(u/2))) = 6(1) ® c(l), 

where instantiation of the hidden variable u is enforced by the encapsulation. 



16 



Let's see how to derive such encapsulations. First, we have, for data term p 
with u ^ Var(p), and tuplix-closed term t that does not contain a, 

a{p) ® EJaiq) 0) t) = EuHp + q)o t)- 

Then we easily find that 

haMp) ® Y.uH<i) ® t)) = Euiiip + q)(Dt) 

using Lemma [SJ In the particular case that g = — u we find 

d{a}iaip) CD E„(a(-^) ® 0) = t[p/u] 
using ([5]). Another example: 

5{a}(a(-6) (D EJa(2") CD t)) = E„(7(2^ - 6) CD 

= E„(7(^-3)CD0 
= i[3/w]. 

In the next example, the instantiation is determined within the summation: 

5{a}(E„(«(" + 1) ® K-u/2))) = EJii^ + 1) ® K-"/2)) 

= 6(1/2). 

In a similar way, one can reduce 

5{a}(E„(a(-w) 0) b{u/2) O c(-u/2) CD a(200) O 6(-50) ® c(-150))) 

to 

6(50) CDc(-250). 

10 Example: Incremental Budgeting 

A financial budget is modeled as a tuplix. We let an entry a{p) represent a 
payment: the attribute a is used in the communication between payer and 
payee, and describes or identifies a transaction; we also refer to the attribute 
as the channel of the transaction, and say that the payment occurs along the 
channel. The term p represents the amount of money involved. An entry a(p) 
with p > stands for an obligation to pay amount p along channel a. If p < 0, 
the entry stands for the expected receipt of amount p along a. 

In the following example we consider some annual budgets. In order to 
simplify descriptions it is assumed that various payments are due twice per year 
only, during periods A and B. Attributes of the form a a and ob are used in 
the specification of payments during these respective periods. Examples with 
monthly, weekly or daily payments can be given in a similar fashion. 

Consider a budget -B2006 containing the financial results of some entity in 
year 2006. E.g., take 

B2006 = aA(30) CD aB(30) CD 6a(20) CD 6b(25) CD ca(-107). 
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On the basis of this reahzed budget, an allocated budget for 2007 covering 
corresponding entries could be specified as, e.g., 

^2007 = OA (32) CD aB(32) ® 5a(21) ® 6b(28) CD ca(-116). 

Assuming that a 2008 budget is to be determined without having 2007 real- 
ization figures available, several ways to adapt the 2007 budget to a 2008 budget 
can be imagined. The widespread (and well-documented, see, e.g., [H]) strategy 
of incremental budgeting implies that the 2007 budget is taken as the point of 
departure for designing a 2008 budget. For 2008 one may consider two possible 
budgets: an ad hoc increase of each entry, leading to something like 

B2008 = aA(33) CD aB(33) (D foA(22) CD 6b(30) CD ca(-123), 

or, alternatively, 

^2008 = (1 + (VlOO)) ■ S2007 

which adjusts each 2007 entry with the same inflation percentage i. 

Yet another option for a 2008 budget is to adjust the 2006 realization B2006 
with inflation twice. This yields 

S20O8 - (1 + (VlOO))' • B2006- 

Still another option for the definition of a 2008 budget is the average 

^2008 — (1/2) ■ (-B20O8 ® ^2008) 

of the latter two budgets. 

11 Example: Modular Budget Design 

Modular financial budget design is a necessity in large organizations, assuming 
that budgets are at all used, i.e., that 'beyond budgeting' 2 is not (yet) the 
dominant strategy for financial planning. Financial budgets are probably the 
most complex budgets around which calls for modularity. Surprisingly, however, 
we have not been able to find any literature about the subject of formalized 
modular budget design. In the example of this section we will outline how 
tuplix calculus can support modular budget descriptions in a meaningful way. 
The example is presented in abstract terms but its origin is practical. 

We consider an organization that consists of the following constituents0 

• Part S is a financial source which correlates with production figures. 

• Part C is a control group that dispatches the incoming financial stream to 
the production units and the service center SC. 

^In the practical case behind the example, S is a university division, C represents a graduate 
school, the PUs represent different master programs, SC provides various forms of support 
ranging from student counseling to timetabling, and CAP represents a department from which 
educational staff will be used. 
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• Parts PUi and PU2 arc production units. These units produce the same 
two types of products (type 1 and type 2). 

• Part SC is a shared service center providing services needed by the pro- 
duction units. 

• Part CAP is a capacity group from which both production units draw 
manpower. 

Streams of money between these parts run as depicted in this figure: 



The labels (ai, 02, etc.) on the arrows in this picture are attribute names that 
will be used in the specification of payments. 

The financial source rewards the production by the production units: for 
each product that is produced, a constant reward (depending on the type of the 
product) is allocated to the control group C. The control group will dispatch 
the rewards for both product types to the production units and to the service 
center. The production units receive money from C, and pay money to the 
capacity group in return of junior staff capacity as well as senior staff capacity. 

We specify budgets for the parts S, C, PUi and PU2, and we will examine 
how to compose one joint budget B from these. All budgets involved specify the 
same period of time (e.g., the calendar year 2008). We take a stepwise approach 
and specify the budgets in two phases taking increasingly more aspects into 
account. In the first stage, both production units obtain an equal reward, 
independent of their contribution to the total production. The budgets are 
defined as follows. 

• The financial source S rewards production: for each product of type i 

that is produced (i = 1,2), a constant reward rewardi is allocated to the 
control unit C. For production unit PUj and product type j, the data 
variable 



stands for the number of products of type j produced by PU, during the 
period that is covered. 

The budget: 

Bs = ai{rewardi ■ (nn + n2i)) a2{reward2 ■ (ni2 + ^22)) 

• The control unit C receives the rewards from the financial source. The 
amount paid to the service center SC is a fraction k (a value between 




SC 



riij 
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and 1) of the incoming stream, independently of the use that is made of 
it. It further pays each production unit half of the reward total. (Observe 
that, unless fc = 0, this budget is not balanced: the expenses are higher 
than the income.) 

ai{-u) ® 02 (-f) ® 

c{k ■ {u + v)) (D 

bi{{u + v)/2)(Dh{{u + v)/2)) 

• Budgets for the production units: 

^PUi =Euibi{~u)(Djs,{u/2) (D ssi{u/2)) 
Bpv, = Euib2{~u) (D js^{u/2) Q ss2iu/2)) 

In this first version the production units obtain an equal amount of fund- 
ing, which is spent in equal parts on senior staff (via ssi and SS2) and on 
junior staff (via jsi and jsj). 

The combined budget: 

B = d[a^,a2MM}iBs OBcO Bpul CD SpuJ. 

Wc find 

7(-u — rewardi ■ (rin + ^21) — reward2 ■ («i2 + ^122)) ® 
c{k ■ u) ® jsi(u/4) ® ssi(u/4) (D js2(u/4) CD ss2('«/4)). 

A straightforward derivation of this identity leads to a closed term without 
summation; in the expression above we have introduced a 'let-binding' (see the 
example in Section [5]) with variable u to improve the readability. 

In the second stage of the budget, we take into account that the production 
units need funding proportional to their production volume, and may spend 
their resources on senior staff capacity and junior staff capacity in different 
proportions. Moreover, the control unit also charges the production units for 
the costs of the services provided by SC. This leads to the following refinement 
of the budgets: 

Be = 

ai{-u) ® a2{~v) ® 
k- c{u + v)(S) 

{I - k) ■ (&i((nii/(nii + n2i))u + (ni2/(m2 + "22))^) ® 

&2(("2l/(mi + "2l))w + («22/(m2 + "22))^))) 

Spu, = EJ&i(-«) a)j.Si((l/4)«) (D .ssi((3/4H) 
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Additional phases that take more aspects into account can be easily imag- 
ined. For instance both production units may be given a fixed amount of funding 
independent of production volume and the remaining funding spread in propor- 
tion with production volume. That distribution strategy for C allows one unit 
to proceed when its production is low thus awaiting a next phase with better 
circumstances. 

12 Conclusion 

We have introduced a calculus for tuplices. It has an underlying data type called 
quantities which is required to be modeled by a zero-totalized field. We started 
with the core tuplix calculus CTC for entries and tests, which are combined using 
conjunctive composition. We defined a standard model and proved that CTC is 
relatively complete with respect to it. We further defined operators for choice, 
information hiding, scalar multiplication, clearing and encapsulation. We ended 
with two examples of applications; one on incremental financial budgeting, and 
one on modular financial budget design. 

We refer to [6] for a discussion on the formalization of financial budgets. It 
also contains a more elaborate application of the tuplix calculus in the style of 
the example in Section [TT] 

Further related work seems to be scarce. We mention here the work of Elsas 
et al. [9l [11] on audit theory, and the work of Bergstra and Middelburg [5] 
on computational capital. Both are theoretical approaches that apply process 
theory in the analysis of organizations dealing with money streams: the former 
uses Petri nets, the latter process algebra. In this, they focus more on behavioral 
aspects than we do. 

An immediate issue for future work is the completeness of BTC for open 
terms, and consequently the completeness of BTC with summation. We would 
further like to connect this theory to the formalization of interface groups and 
financial transfer architectures studied in J^. 
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